Getting to the end of our AD domain migration, but there is one step I haven't solved. Our users have UID/GID in the new domain while the already present users in the new domain do not. Assigning UID/GID to all users does not sit well with upstream IT, so I am looking at what to do with these when they visit/access our site.
What comes to mind is partial id_mapping: if a user has UID/GID in the AD, use that; otherwise do id_mapping for that user (preferably the same way Samba does it, since we already have a Samba-based interim solution).
I haven't found a way to do that in sssd. Is there one? Maybe I am just full of it and this is really a bad idea?
On 24.8.2016 09:03, Joakim Tjernlund wrote:
Are you using FreeIPA? FreeIPA has support for "ID Views", which can be used for this purpose. (I'm not very sure about the pure-SSSD case.)
On Wed, 2016-08-24 at 09:14 +0200, Petr Spacek wrote:
> Are you using FreeIPA? FreeIPA has support for "ID Views", which can be used for this purpose. (I'm not very sure about the pure-SSSD case.)
I wish, but this is a Windows AD :(
On Wed, Aug 24, 2016 at 07:39:54AM +0000, Joakim Tjernlund wrote:
> I wish, but this is a Windows AD :(
Petr had IPA-AD trusts in mind, I guess.
Partial ID mapping is not possible, sorry.
On Wed, Aug 24, 2016 at 09:52:17AM +0200, Jakub Hrozek wrote:
> Are you using FreeIPA? FreeIPA has support for "ID Views", which can be used for this purpose. (I'm not very sure about the pure-SSSD case.)
It is also possible in the pure-SSSD case, see man sss_override for details.
> Partial ID mapping is not possible, sorry.
Yes, SSSD cannot do this automatically, because we can never be sure whether a UID/GID attribute will be added in the future to a user who currently does not have one set.
But sss_override might help you. Depending on whether new users created in AD will have UID/GID set or not, you can create overrides for the existing users with or without them and then use ldap_id_mapping 'true' or 'false' respectively.
Since this is not a centrally managed solution, you have to do this on every host running SSSD, and you have to load the overrides again each time you remove the cache; see user-import and user-export in man sss_override for details. Depending on the number of clients, it might make sense to introduce FreeIPA to have a centrally managed solution for this.
bye, Sumit
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
On Wed, 2016-08-24 at 11:02 +0200, Sumit Bose wrote:
> Yes, SSSD cannot do this automatically, because we can never be sure whether a UID/GID attribute will be added in the future to a user who currently does not have one set.
I see, but doesn't sssd refresh/check cached values against AD regularly? Or mark the non-UID/GID user as do-not-cache?
> But sss_override might help you. Depending on whether new users created in AD will have UID/GID set or not, you can create overrides for the existing users with or without them and then use ldap_id_mapping 'true' or 'false' respectively.
> Since this is not a centrally managed solution, you have to do this on every host running SSSD, and you have to load the overrides again each time you remove the cache; see user-import and user-export in man sss_override for details. Depending on the number of clients, it might make sense to introduce FreeIPA to have a centrally managed solution for this.
Ouch, this is not really manageable.
Jocke
On (24/08/16 09:10), Joakim Tjernlund wrote:
> Yes, SSSD cannot do this automatically, because we can never be sure whether a UID/GID attribute will be added in the future to a user who currently does not have one set.
> I see, but doesn't sssd refresh/check cached values against AD regularly? Or mark the non-UID/GID user as do-not-cache?
I am not sure you understand it correctly.
sssd does not support partial ID mapping intentionally.
Let's imagine: partial ID mapping is enabled, but neither of the users has POSIX attributes. So sssd would generate UID/GID from the SID.
Then later someone decides to add UID and GID into Active Directory. But there is a chance that the administrator would not be careful and would assign IDs which are already generated from the SID for another user. If the other user had higher privileges, then it would be a security problem.
That's the reason why sssd will never support fallback from POSIX attributes to ID mapping.
> But sss_override might help you. Depending on whether new users created in AD will have UID/GID set or not, you can create overrides for the existing users with or without them and then use ldap_id_mapping 'true' or 'false' respectively.
> Since this is not a centrally managed solution, you have to do this on every host running SSSD, and you have to load the overrides again each time you remove the cache; see user-import and user-export in man sss_override for details. Depending on the number of clients, it might make sense to introduce FreeIPA to have a centrally managed solution for this.
> Ouch, this is not really manageable.
It is manageable with FreeIPA <-> AD trusts, because all overrides will be stored on the IPA server and all sssd clients would fetch them from a single place.
LS
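The collision Lukas describes above, as an added example (not code from the thread or from the SSSD project): a small audit that models sssd's SID-based ID mapping (range base plus RID, with the per-domain slice index passed in as an assumption rather than derived from the SID hash as sssd does) and flags explicitly assigned uidNumber/gidNumber values that equal the ID mapping would hand to another object, or that fall inside a mapped slice at all. The AD entries are constructed sample data.

```python
"""Audit explicitly assigned POSIX IDs against SSSD-style SID->ID mapping."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Defaults documented in sssd-ad(5): ldap_idmap_range_min and
# ldap_idmap_range_size are both 200000 unless overridden.
RANGE_MIN = 200000
RANGE_SIZE = 200000


@dataclass(frozen=True)
class AdObject:
    """One AD user or group: its objectSid and its uidNumber/gidNumber, if any."""
    name: str
    sid: str                  # e.g. S-1-5-21-<domain part>-<RID>
    posix_id: Optional[int]   # None when the POSIX attribute is not set


def split_sid(sid: str) -> Tuple[str, int]:
    """Split an objectSid into (domain SID, RID)."""
    domain_sid, rid = sid.rsplit("-", 1)
    return domain_sid, int(rid)


def mapped_id(sid: str, slices: Dict[str, int]) -> int:
    """ID that algorithmic mapping would assign: slice base + RID.

    Assumption: the slice index per domain SID is supplied by the caller
    (sssd derives it by hashing the domain SID; RIDs beyond one range
    size spill into secondary slices, which this model does not handle).
    """
    domain_sid, rid = split_sid(sid)
    if rid >= RANGE_SIZE:
        raise ValueError(f"RID {rid} does not fit in a single slice")
    return RANGE_MIN + slices[domain_sid] * RANGE_SIZE + rid


def audit(objects: List[AdObject], slices: Dict[str, int]) -> Dict[str, list]:
    """Find where explicit POSIX IDs would clash with mapped IDs.

    'collisions': explicit ID equal to the mapped ID of *another* object
    that has no POSIX attributes (the case Lukas describes: two accounts,
    one possibly privileged, resolving to the same UID/GID).
    'in_mapped_range': explicit IDs that sit inside a mapped slice and
    therefore can collide as soon as another account is created.
    """
    mapped_by_id: Dict[int, str] = {}
    for obj in objects:
        if obj.posix_id is None:
            mapped_by_id[mapped_id(obj.sid, slices)] = obj.name

    slice_ranges = [
        (RANGE_MIN + s * RANGE_SIZE, RANGE_MIN + (s + 1) * RANGE_SIZE - 1)
        for s in slices.values()
    ]
    collisions, in_range = [], []
    for obj in objects:
        if obj.posix_id is None:
            continue
        other = mapped_by_id.get(obj.posix_id)
        if other is not None and other != obj.name:
            collisions.append((obj.name, other, obj.posix_id))
        if any(lo <= obj.posix_id <= hi for lo, hi in slice_ranges):
            in_range.append(obj.name)
    return {"collisions": collisions, "in_mapped_range": in_range}


# Constructed sample data: one domain pinned to slice 0 (base 200000).
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
SLICES = {DOMAIN_SID: 0}
SAMPLE_OBJECTS = [
    AdObject("alice", f"{DOMAIN_SID}-1105", 10001),   # explicit, outside mapped range
    AdObject("bob", f"{DOMAIN_SID}-1106", None),      # no POSIX attrs -> would map to 201106
    AdObject("carol", f"{DOMAIN_SID}-1500", 201106),  # explicit ID equal to bob's mapped ID
    AdObject("dave", f"{DOMAIN_SID}-1107", 205000),   # explicit ID inside the mapped slice
    AdObject("linux-admins", f"{DOMAIN_SID}-2001", None),
]

if __name__ == "__main__":
    report = audit(SAMPLE_OBJECTS, SLICES)
    for name, other, pid in report["collisions"]:
        print(f"COLLISION: {name} has explicit ID {pid}, which mapping assigns to {other}")
    for name in report["in_mapped_range"]:
        print(f"WARNING: {name}'s explicit ID lies inside an ID-mapping slice")
```

Run it against an export of objectSid and uidNumber/gidNumber from the real domain to see whether an explicit-ID population and an id-mapped population could ever overlap.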
On Wed, Aug 24, 2016 at 01:33:33PM +0200, Lukas Slebodnik wrote:
> Let's imagine: partial ID mapping is enabled, but neither of the users has POSIX attributes. So sssd would generate UID/GID from the SID.
> Then later someone decides to add UID and GID into Active Directory. But there is a chance that the administrator would not be careful and would assign IDs which are already generated from the SID for another user. If the other user had higher privileges, then it would be a security problem.
...also files would have to be chown-ed, so at the very least there is a huge annoyance to the admins and a risk of locking users out of their files because you forgot to chown some files.
On Wed, 2016-08-24 at 15:19 +0200, Jakub Hrozek wrote:
> ...also files would have to be chown-ed, so at the very least there is a huge annoyance to the admins and a risk of locking users out of their files because you forgot to chown some files.
OK, so there is no good way to fix this problem as it is now. But, so I am sure: if we were to get a subdomain of INFINERA.COM, say SE.INFINERA.COM, would it be possible to have UID/GID in SE.INFINERA.COM and id mapping in INFINERA.COM? What about group membership: can a SE.INFINERA.COM user be in a group in INFINERA.COM and vice versa?
But then we would have to deal with TRANSMODE.SE (old, to be retired), SE.INFINERA.COM and INFINERA.COM in sssd.conf et al.?
Jocke
On 24.8.2016 15:59, Joakim Tjernlund wrote:
> OK, so there is no good way to fix this problem as it is now. But, so I am sure: if we were to get a subdomain of INFINERA.COM, say SE.INFINERA.COM, would it be possible to have UID/GID in SE.INFINERA.COM and id mapping in INFINERA.COM? What about group membership: can a SE.INFINERA.COM user be in a group in INFINERA.COM and vice versa?
> But then we would have to deal with TRANSMODE.SE (old, to be retired), SE.INFINERA.COM and INFINERA.COM in sssd.conf et al.?
AFAIK IPA<->AD trust would allow you to have only the IPA domain in sssd.conf on clients and manage everything else on IPA servers/database. This includes UID/GID overrides and so on.
If you are interested in details, please ask freeipa-users@redhat.com mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
On Wed, 2016-08-24 at 16:28 +0200, Petr Spacek wrote:
> AFAIK IPA<->AD trust would allow you to have only the IPA domain in sssd.conf on clients and manage everything else on IPA servers/database. This includes UID/GID overrides and so on.
hmm, I was thinking we would have a Windows AD subdomain. I think FreeIPA will be a bit too much for our IT staff to handle.
Jocke
On Wed, Aug 24, 2016 at 01:59:14PM +0000, Joakim Tjernlund wrote:
> OK, so there is no good way to fix this problem as it is now. But, so I am sure: if we were to get a subdomain of INFINERA.COM, say SE.INFINERA.COM, would it be possible to have UID/GID in SE.INFINERA.COM and id mapping in INFINERA.COM? What about group membership: can a SE.INFINERA.COM user be in a group in INFINERA.COM and vice versa?
This is only possible if you define the domains separately in the config file:
[domain/infinera.com]
[domain/se.infinera.com]
because current sssd versions don't support different configurations for the main domain and a subdomain (and even if they did, I don't think allowing different ID mappings for different subdomains would be a good idea).